Yesterday, I received a Wi-Fi password by means of a class 0 or “flash” SMS message. In iOS 7, class 0 messages are presented as a grey, full-screen overlay that includes the horizontally- and vertically-centered message text and a single “Dismiss” button:
As per the SMS specification, after pressing “Dismiss”, the overlay and message disappear and the message is immediately discarded, leaving no trace of its delivery on the phone (rather like a text-only antecedent to Snapchat). Before exploring the portions of the SMS specification that deal with class 0 messages, there are a lot of abbreviations that the 3GPP standards group like to use:

| Term | Definition |
|---|---|
| | Synonymous with mobile station |
| | Denotes the capability of the GSM/UMTS system to transfer a short message submitted by the MS to one SME via an SC |
| | The mobile station to which an MT short message is destined or from which an MO short message is sourced. Synonymous with the term “user equipment” (UE) in UMTS terminology |
| | Denotes the capability of the GSM/UMTS system to transfer a short message submitted from the SC to one MS |
| | Function responsible for the relaying and store and forwarding of a short message between an SME and an MS |
| | Information that may be conveyed by means of the Short Message Service |
| Short Message Entity | Entity which may send or receive Short Messages |
| (Transfer) Protocol Data Unit | A unit of data specified in a protocol of a given layer |
| (Universal) Subscriber Identity Module | Integrated circuit that securely stores the international mobile subscriber identity |

With all those laid out, the specification defines a class 0 SMS message as follows:
> When a mobile terminated message is class 0 and the MS has the capability of displaying short messages, the MS shall display the message immediately and send an acknowledgement to the SC when the message has successfully reached the MS irrespective of whether there is memory available in the (U)SIM or ME. The message shall not be automatically stored in the (U)SIM or ME.

But where in the various levels of the SMS protocol is a message defined as belonging to a particular class? The SMS protocol stack consists of the following four layers, which interact as depicted in the figure:
- Short Message Application Layer (SM-AL)
- Short Message Transfer Layer (SM-TL)
- Short Message Relay Layer (SM-RL)
- Short Message Link Layer (SM-LL)
It is the Short Message Transfer Layer (SM-TL) that defines the class of the message. The SM-TL sits immediately below the Short Message Application Layer (SM-AL), allowing the SM-AL to send and receive messages and receive reports about previously sent messages. The SM-TL defines the following six protocol data units (PDUs):
- SMS DELIVER for conveying a short message from the SC to the MS
- SMS DELIVER REPORT for conveying:
  - a failure cause (if necessary)
  - information as part of a positive or negative acknowledgement to an SMS-DELIVER or SMS-STATUS-REPORT
- SMS SUBMIT for conveying a short message from the MS to the SC
- SMS SUBMIT REPORT for conveying:
  - a failure cause (if necessary)
  - information as part of a positive or negative acknowledgement to an SMS-SUBMIT or SMS-COMMAND
- SMS STATUS REPORT for conveying a status report from the SC to the MS
- SMS COMMAND for conveying a command from the MS to the SC
Since we’re interested in how to send class 0 messages, it’s primarily the SMS-SUBMIT and SMS-DELIVER PDUs that are of interest here. The SMS-SUBMIT PDU has the following basic elements:

| Element | Description |
|---|---|
| Message Type Indicator | Parameter describing the message type. |
| | Parameter indicating whether or not the service centre shall accept an SMS SUBMIT for a short message still held in the service centre which has the same message reference and destination address as a previously submitted short message from the same originating address |
| Validity Period Format | Parameter indicating whether or not the VP field is present. |
| | Parameter indicating the request for reply path. |
| User Data Header Indicator | Parameter indicating that the user data field contains a header. |
| Status Report Request | Parameter indicating if the MS is requesting a status report. |
| | Parameter identifying the SMS SUBMIT. |
| | Address of the destination SME. |
| | Parameter identifying the above layer protocol, if any. |
| Data Coding Scheme | Parameter identifying the coding scheme within the TP User Data. |
| | Parameter identifying the time from where the message is no longer valid. |
| User Data Length | Parameter indicating the length of the UD field to follow. |

Data types: I, Integer; b, bit; 2b, 2 bits; o, Octet; 7o, 7 octets; 2-12o, 2-12 octets.
*Dependent on the TP Data Coding Scheme.

Assigning a class to the short message is achieved using the Data Coding Scheme field, which serves two purposes: specifying the data coding scheme of the UD field, and indicating a message class. The DCS field is a single octet, the use of which varies depending on the value of bits 4-7. A message class can be specified in the cases where bits 4-7 are set to 00xx or 1111. In the former case, bit 5 indicates whether or not the text is compressed, bit 4 indicates whether a message class has been specified, bits 2 and 3 indicate the character set and bits 0 and 1 specify the class (if bit 4 is equal to 1). So, for instance, 00010000 (0x10) would indicate an uncompressed class 0 message using the GSM 7 bit default alphabet and 00110100 (0x34) would represent a compressed class 0 message with an 8 bit-encoded UD field. A standard class 1 message would only differ in having the final bit (bit 0) set to 1. So there we have our answer.
As a brief adjunct, the SMS specification also makes provision for type 0 short messages, as distinct from class 0. Type 0 short messages are defined as follows (emphasis added):
> A short message type 0 indicates that the ME must acknowledge receipt of the short message but shall discard its contents. This means that:
> - the MS shall be able to receive the type 0 short message irrespective of whether there is memory available in the (U)SIM or ME or not
> - the MS shall not indicate the receipt of the type 0 short message to the user
> - the short message shall neither be stored in the (U)SIM nor ME

The key difference is the device doesn’t notify the user that the message has arrived at all. In his 2005 book, Mobile Messaging Technologies and Services, Le Bodic noted that these messages are used “to page a mobile to check if the mobile is active without the user being aware that the mobile station has been paged.” It seems that type 0 messages are therefore quite popular with surveillance agencies. (Link in German; translation here.)
In terms of assigning a type to the SMS, the pertinent field in the PDU is the Protocol Identifier, which consists of a single octet for the purpose of either referring to the higher layer protocol being used, or indicating interworking with a certain type of telematic device (such as telex or paging systems). In the SMS-DELIVER PDU, when the value of bit 5 in the octet is set to 0, bits 0-4 identify the SM-AL protocol in use between the SME and the MS, which defines the message type. A value of “00000” here indicates a type 0 message. Since bit 6 must be 1 in order to toggle examination of the first five bits, the type 0 Protocol Identifier is simply 01000000 (0x40).
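
The DCS bit layout and the type 0 Protocol Identifier described above can be checked mechanically on a received SMS-DELIVER TPDU. The following is an added example, not code from the original post: the function names and both sample TPDUs are constructed for illustration, the input is assumed to be the TPDU without an SMSC prefix, and the `1111` coding-group layout is taken from 3GPP TS 23.038, which goes beyond the detail given in the text.

```python
# Added example: flag class 0 ("flash") and type 0 messages from TP-DCS / TP-PID.
CHARSETS = {0: "GSM 7 bit default", 1: "8 bit data", 2: "UCS2", 3: "reserved"}

def decode_dcs(dcs):
    """Decode the two DCS coding groups that can carry a message class."""
    group = dcs >> 4
    if group <= 0b0011:                       # bits 7-4 = 00xx
        return {
            "compressed": bool(dcs & 0x20),   # bit 5
            "charset": CHARSETS[(dcs >> 2) & 0b11],           # bits 3-2
            "msg_class": dcs & 0b11 if dcs & 0x10 else None,  # bit 4 gates bits 1-0
        }
    if group == 0b1111:                       # layout per 3GPP TS 23.038
        return {
            "compressed": False,
            "charset": CHARSETS[(dcs >> 2) & 1],  # bit 2 only; bit 3 is reserved
            "msg_class": dcs & 0b11,              # class is always present here
        }
    return None  # other groups (e.g. message waiting indication) carry no class

def is_type0(pid):
    """TP-PID 01000000: acknowledged and discarded without notifying the user."""
    return pid == 0x40

def inspect_deliver(tpdu_hex):
    """Locate TP-PID and TP-DCS in an SMS-DELIVER TPDU and classify it."""
    raw = bytes.fromhex(tpdu_hex)
    if len(raw) < 2 or raw[0] & 0b11 != 0:    # TP-MTI 00 = SMS-DELIVER (SC to MS)
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = raw[1]                        # TP-OA length, counted in semi-octets
    pos = 3 + (oa_digits + 1) // 2            # skip first octet, length, TOA, address
    if len(raw) < pos + 2:
        raise ValueError("truncated before TP-PID/TP-DCS")
    pid, dcs = raw[pos], raw[pos + 1]
    info = decode_dcs(dcs) or {}
    return {"pid": pid, "dcs": dcs, "type0": is_type0(pid),
            "flash": info.get("msg_class") == 0}

# Constructed sample TPDUs (fictional sender +15555550100; first carries "hello").
SAMPLE_FLASH = "040B915155550501F00010" + "41101021436500" + "05E8329BFD06"
SAMPLE_TYPE0 = "040B915155550501F04000" + "41101021436500" + "00"

if __name__ == "__main__":
    for name, pdu in (("flash", SAMPLE_FLASH), ("type0", SAMPLE_TYPE0)):
        print(name, inspect_deliver(pdu))
```

A check like this belongs wherever raw TPDUs are visible (a modem in PDU mode, an SMS gateway log), since by definition neither message kind is stored on the handset.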